Tcpdump to Wireshark – Interface name not displayed.
-
I am trying to analyse packets on two or more interfaces simultaneously. It appears to me that tcpdump is a good tool to use for this purpose. After SSHing into my pfSense 2.7.2 I have successfully created a pcap file using tcpdump that opens fine in Wireshark. My problem is that I cannot get an Interface label to display in Wireshark. I have created a custom column and linked it to frame.interface_id but unfortunately the column is blank. I don’t particularly mind what id format gets displayed as long as it allows me to distinguish between interfaces. It will be great if someone can suggest the way ahead.
I have just now opened a pcap created with pfSense Packet Capture and the blank column result is the same.
-
@BrucexLing when using
tcpdumpyou capture traffic on one interface. And with that the interface used is already clear (and it is not saved).Or: how do you run
tcpdump? -
I thought I saw somewhere you could include something like "-i igb2 -i ovpnc1" in the tcpdump command line to listen on 2 interfaces. If I can't do that I'll need to rethink things.
-
@BrucexLing said in Tcpdump to Wireshark – Interface name not displayed.:
I thought I saw somewhere you could include something like "-i igb2 -i ovpnc1" in the tcpdump command line to listen on 2 interfaces.
Subsequent use of -i overrides any prior use of -i. In other words, tcpdump will only use the last interface specified on the command line. So in the example you used, you will only capture packets from interface
ovpnc1.On some systems tcpdump can collect packets from all interfaces using a special interface named
any, but pfSense/FreeBSD isn't one of them. -
Thank you guys for putting me straight on this one. I’ll now progress to merging capture files. That did seem quite daunting initially, but I am now looking forward to giving it a go. Would I be right in thinking that the merging process will somehow tag the interfaces so they can be distinguished in the final Wireshark result?
-
@BrucexLing said in Tcpdump to Wireshark – Interface name not displayed.:
merging process will somehow tag the interfaces so they can be distinguished in the final Wireshark result?
I don't think it would do that. wireshark doesn't have any idea about which interface it was captured on.
But you would be able to tell which interface by the mac address in the capture. If you're your trying to capture an in out sort of deal.
You might be able to add a label to all the packets in the first one, then add the 2nd capture.
edit: here quick example.. I captured on my lan interface igb0, and interface igb2 - I then pinged from box on ig0 (192.168.9.100) to box on igb2 network (192.168.2.13)
I loaded the first pcap - then added a comment (which you can view in your columns by adding frame.comment). I then merged the igb2 pcap.
As you can see the ones captured on igb0 are marked with a comment, and ones on igb2 not.
But notice I can tell which interfaces on pfsense were used by the mac address. Packet 1 there is destination to my igb0 on e6:24, and the one outbound from igb2 interface (packet 2) is source of e6:20 (pfsense igb2 interface)
-
Many thanks John. In my situation I have one physical interface and one vpn. What I have found is that after a merge of two pcapngs that the term frame.interface_id is either 0 or 1 depending on whether frame is for physical or vpn respectively.
